Home Explore Help
Register Sign In
OWEALs
/
dinit
mirror of https://github.com/davmac314/dinit.git
2
0
Fork 0
Files Issues 1 Wiki
Branch: master
Branches Tags
dinit
/
doc
/
SECURITY

SECURITY 3.5 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. Security concerns
    2. 

  2. -----------------
    3. 

  3. 

  4. Trust and assumptions
    5. 

  5. ---------------------
    6. 

  6. 

  7. Dinit does assume that most input it receives is trusted and not produced maliciously. This
    8. 

  8. includes:
    9. 

  9. 

  10. - service descriptions, including service names
    11. 

  11. - "environment" file
    12. 

  12. - commands received via the control socket
    13. 

  13. 

  14. Since it is trusted, Dinit will do no or minimal validation/sanitisation on these. Tools which
    15. 

  15. allow creation or modification of these inputs should do so with care. (The control socket is
    16. 

  16. treated with a little more care, in an attempt to guard against buggy or partially compromised
    17. 

  17. clients, but untrusted applications/users should *not* be granted access to the socket).
    18. 

  18. 

  19. Dinit when run as system manager (naturally) also trusts and relies on the general integrity of
    20. 

  20. the system on which it runs. It cannot defend against a fully compromised system and does not
    21. 

  21. attempt to do so. It does *not* trust or rely on aspects of the system that are (or should not
    22. 

  22. be) controlled by non-administrative users. In other words, Dinit should be secure but does not
    23. 

  23. by itself aim to provide *additional system* security (except by having features to run services
    24. 

  24. more securely).
    25. 

  25. 

  26. Dinit does not expect user identities to change during operation. If a service is configured to
    27. 

  27. run as user xyz, the numeric ID of user xyz may be determined when the service is loaded rather
    28. 

  28. than when the service is started. If the same ID is re-assigned to a different user, Dinit might
    29. 

  29. run the service as that other user, create logfiles owned by that other user, etc.
    30. 

  30. 

  31. 

  32. Specific concerns and details
    33. 

  33. -----------------------------
    34. 

  34.  
    35. 

  35. Dinit is designed to allow control by one system user. In the case of a system instance, this is
    36. 

  36. the root user. Of course, the unix model allows users to change identity and so regular users can
    37. 

  37. control a system dinit instance using sudo or su, for example.
    38. 

  38. 

  39. Essential security is enforced by the system, not by Dinit itself. The socket used to control
    40. 

  40. dinit is owned by a particular user (the user who starts dinit) and the permissions on this socket
    41. 

  41. are set so that only the owning user can connect to the socket. According to the Linux unix(7)
    42. 

  42. manual page, "older" BSDs do not honour socket permissions; on such systems, presumably the
    43. 

  43. permissions on the containing directory at least are checked (so it is necessary to place the
    44. 

  44. socket in a directory that is inaccessible to non-root users to ensure secure operation). This
    45. 

  45. does not appear to be a concern for the various current *BSD systems that I have looked at.
    46. 

  46. 

  47. In general it should be assumed that a process that is able to open the control socket (or
    48. 

  48. otherwise obtain an open connection to the socket) will be able to execute arbitrary code as root
    49. 

  49. (or rather, as the user which dinit is running as). That said, errors or missing checks in the
    50. 

  50. control protocol handling which could cause unspecified or undefined behaviour are considered a
    51. 

  51. security concern (since they potentially allow minor flaws in clients to become arbitrary code
    52. 

  52. execution within the dinit daemon).
    53. 

  53. 

  54. Dinit service descriptions may specify output files (sockets, logfiles) and these are opened
    55. 

  55. without (or with minimal) checks. A malicious user in control of a service description could cause
    56. 

  56. arbitrary system files to be overwritten.
    57. 

  57. 

  58. 

  59. Reporting security issues
    60. 

  60. -------------------------
    61. 

  61. 

  62. Bearing the above in mind, any security issues in Dinit should be reported via email to:
    63. 

  63. 

  64.     davmac@davmac.org
    65. 

  65.     
    66. 

  66. I will endeavour to respond promptly, but please allow a reasonable time frame before wider
    67. 

  67. disclosure.
    68.